Describe the bug
'Compliant Solution' in the asciidoc of EC72 "Avoid SQL request in loop" suggests using String concatenation of user-supplied values and createStatement for building & executing a SQL query. Both are discouraged, as they are frequent sources of injection vulnerabilities. (Also, the code would not compile - baseQuery and query variables are mixed up.) This lowers acceptance & credibility of the ecoCode rules.
Expected behavior
Provide a 'Compliant Solution' that compiles and promotes secure coding practices.
See e.g. https://www.baeldung.com/java-jdbc-preparedstatement-in-clause section 3.2, "IN Clause With Stream".
(Section 3.3 uses functionality that most SQL connectors don't implement.)
Reference
ecocode-rules-specifications/src/main/rules/EC72/java/EC72.asciidoc
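Added example, not taken from the ecoCode repository or the EC72 asciidoc, of what a compliant solution in the spirit of the linked Baeldung section 3.2 could look like. It contrasts the shape the issue objects to (one `createStatement` query per loop iteration, with the user-supplied value concatenated into the SQL text) with a single `PreparedStatement` whose `IN (?, ?, ...)` placeholder list is generated from the list size and whose values are all bound as parameters. The `users` table with `id` and `name` columns, the method names and the chunking limit are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;

public final class UsersInClause {

    // Noncompliant shape, shown only for contrast (this is what EC72 flags):
    // one database round-trip per id, and the user-supplied id spliced into
    // the SQL text, so a value like  x' OR '1'='1  changes the query.
    static List<String> namesByIdLoop(Connection conn, List<String> ids) throws SQLException {
        List<String> names = new ArrayList<>();
        for (String id : ids) {
            String sql = "SELECT name FROM users WHERE id = '" + id + "'"; // injectable
            try (Statement st = conn.createStatement();
                 ResultSet rs = st.executeQuery(sql)) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }

    /** Builds the placeholder list "?, ?, ?" for n bound parameters. */
    static String placeholders(int n) {
        return Collections.nCopies(n, "?").stream().collect(Collectors.joining(", "));
    }

    // Compliant: one query per chunk instead of one per value, and every
    // user-supplied value is bound with setString(), never concatenated.
    // The only string built at runtime is the placeholder list, which depends
    // on the *count* of values, not on their content.
    // maxParams exists because many drivers/databases cap the number of bind
    // parameters or IN-list entries per statement; the limit is an assumption
    // here and should be set for the target database.
    static List<String> namesByIdIn(Connection conn, List<String> ids, int maxParams)
            throws SQLException {
        List<String> names = new ArrayList<>();
        // An empty list produces no iterations, which also avoids the
        // syntactically invalid "IN ()".
        for (int from = 0; from < ids.size(); from += maxParams) {
            List<String> chunk = ids.subList(from, Math.min(from + maxParams, ids.size()));
            String sql = "SELECT name FROM users WHERE id IN (" + placeholders(chunk.size()) + ")";
            try (PreparedStatement ps = conn.prepareStatement(sql)) {
                int index = 1; // JDBC parameter indices start at 1
                for (String id : chunk) {
                    ps.setString(index++, id);
                }
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) {
                        names.add(rs.getString("name"));
                    }
                }
            }
        }
        return names;
    }
}
```

With `ids = List.of("a", "b", "c")` and `maxParams = 1000`, `namesByIdIn` executes exactly one statement, `SELECT name FROM users WHERE id IN (?, ?, ?)`, with the three values bound as parameters; `namesByIdLoop` would execute three statements and would run whatever SQL fragment the caller embedded in an id.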